Vulnerability Note VU#408419
OpenSSH contains a one-off overflow of an array in the channel handling code
Overview
OpenSSH is a program used to provide secure connections and communications between clients and servers. Channels are used to segregate different kinds of traffic between the client and the server.
Description
OpenSSH versions 2.0 - 3.0.2 contain a one-off overflow of an array in the code that handles channels. For an attack against the server, the attacker must be able to authenticate to the system in order to exploit this vulnerability. For an attack against the client, the client must connect to a malicious server.
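An illustration of the class of bug described above, added here and not taken from OpenSSH's source: a channel-table lookup whose bounds check uses `>` where `>=` is required, next to the corrected check. All names (`CHANNELS_ALLOC`, `lookup_off_by_one`, `lookup_checked`) are hypothetical, and the extra guard slot is constructed so the out-of-range read stays defined when the program runs.

```c
#include <stddef.h>
#include <stdio.h>

#define CHANNELS_ALLOC 4            /* hypothetical table size */

struct channel { int id; };

/* Constructed table: one extra guard slot stands in for whatever memory
 * follows the real array, so the out-of-range read below stays defined. */
static struct channel live[CHANNELS_ALLOC] = { {0}, {1}, {2}, {3} };
static struct channel not_a_channel = { -1 };
static struct channel *table[CHANNELS_ALLOC + 1] = {
    &live[0], &live[1], &live[2], &live[3], &not_a_channel
};

/* Flawed check: '>' lets id == CHANNELS_ALLOC through, one past the end. */
struct channel *lookup_off_by_one(int id)
{
    if (id < 0 || id > CHANNELS_ALLOC)
        return NULL;
    return table[id];
}

/* Corrected check: valid indices are 0 .. CHANNELS_ALLOC - 1. */
struct channel *lookup_checked(int id)
{
    if (id < 0 || id >= CHANNELS_ALLOC)
        return NULL;
    return table[id];
}

int main(void)
{
    /* Walk the boundary on both sides and show where the checks differ. */
    for (int id = -1; id <= CHANNELS_ALLOC + 1; id++) {
        struct channel *a = lookup_off_by_one(id);
        struct channel *b = lookup_checked(id);
        printf("id=%2d  flawed=%-8s checked=%s\n", id,
               a == NULL ? "rejected" : (a->id == id ? "channel" : "BOGUS"),
               b == NULL ? "rejected" : "channel");
    }
    return 0;
}
```

The two checks disagree only at `id == CHANNELS_ALLOC`, which is why a boundary test at exactly the allocation size is the case to include when reviewing index validation of this kind.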
Impact
An attacker is able to execute arbitrary code with the privileges of the sshd process on the server. The sshd process usually runs as root/superuser. A malicious server is able to execute arbitrary code on the vulnerable client's machine with the privileges of the current user.
Solution
Upgrade to OpenSSH version 3.1.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple | Affected | 07 Mar 2002 | 11 Mar 2002 |
| BSDI | Affected | 07 Mar 2002 | 08 Mar 2002 |
| Caldera | Affected | 07 Mar 2002 | 02 Apr 2002 |
| Conectiva | Affected | - | 07 Mar 2002 |
| Engarde | Affected | 07 Mar 2002 | 07 Mar 2002 |
| Hewlett Packard | Affected | 07 Mar 2002 | 27 Mar 2002 |
| MandrakeSoft | Affected | 07 Mar 2002 | 07 Mar 2002 |
| NetBSD | Affected | 07 Mar 2002 | 13 Mar 2002 |
| OpenBSD | Affected | 07 Mar 2002 | 07 Mar 2002 |
| OpenPKG | Affected | - | 11 Mar 2002 |
| OpenSSH | Affected | - | 07 Mar 2002 |
| Openwall GNU/*/Linux | Affected | - | 18 Mar 2002 |
| Red Hat | Affected | 07 Mar 2002 | 11 Mar 2002 |
| SCO | Affected | 07 Mar 2002 | 13 Mar 2002 |
| Sun | Affected | 07 Mar 2002 | 07 Mar 2002 |
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | N/A | N/A |
| Temporal | N/A | N/A |
| Environmental | N/A | N/A |
References
- http://www.openbsd.org/advisories/ssh_channelalloc.txt
- http://www.pine.nl/advisories/pine-cert-20020301.txt
- http://online.securityfocus.com/bid/4241
Credit
This vulnerability was discovered by Joost Pol <joost@pine.nl>.
This document was written by Jason Rafail.
Other Information
- CVE IDs: CAN-2002-0083
- Date Public: 07 Mar 2002
- Date First Published: 07 Mar 2002
- Date Last Updated: 02 Apr 2002
- Severity Metric: 25.65
- Document Revision: 7